Skip to main content

Hester Core CVE-2026-57656

| EUVDEUVD-2026-39771 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-792x-cxvp-364w
5.9
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
4.8 MEDIUM

High privileges and user interaction required for injection; scope change confirmed; availability impact removed as XSS does not cause denial of service.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:09 vuln.today

DescriptionCVE.org

Author Cross Site Scripting (XSS) in Hester Core <= 1.1.8 versions.

AnalysisAI

Stored/reflected Cross-Site Scripting in the Hester Core WordPress plugin (versions ≤ 1.1.8) allows a high-privileged authenticated user to inject malicious JavaScript into author-related fields, which then executes in victims' browsers when they view affected content. The CVSS scope change (S:C) confirms the injected script escapes the originating context and impacts other users' sessions, potentially enabling session hijacking, credential theft, or malicious redirects. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise high-privilege WordPress account
Delivery
Inject XSS payload into author field
Exploit
Victim visits page rendering author data
Execution
Malicious script executes in victim browser
Impact
Exfiltrate session tokens or credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with high WordPress privileges (PR:H) - specifically an account capable of editing author fields, such as the Author, Editor, or Administrator role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-reported CVSS score of 5.9 (Medium) reflects the meaningful constraint of PR:H - exploitation requires a high-privilege WordPress account (administrator or author role), sharply limiting the attacker population. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or compromised a WordPress author or administrator account navigates to the author profile or post editor and injects a JavaScript payload (e.g., a cookie-stealing script) into an author-related field. When any site visitor loads a page that renders that author's data, the script silently executes in their browser, exfiltrating session cookies or redirecting the victim to a phishing page. …
Remediation The primary remediation is to update the Hester Core WordPress plugin to a version beyond 1.1.8 - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hester-core/vulnerability/wordpress-hester-core-plugin-1-1-8-cross-site-scripting-xss-vulnerability for the confirmed fixed release version, as no exact patch version number was independently provided in the available intelligence data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy